My suggestion is only for 3.5 / 3.6, because Windows XP is no longer supported. Starting with Windows Vista, both cmd.exe and CreateProcess support this behavior. I realize that disabling searching the current director by default is going beyond what cmd.exe does, which is to require opting in via the environment variable. But Python can choose to follow the more-modern behavior of PowerShell as a precedent here.
As Steve mentioned, technically a program isn't supposed to check for the environment variable, but instead call NeedCurrentDirectoryForExePath. This would require either adding a built-in function, e.g. to the _winapi module, or require ctypes:
>>> kernel32.NeedCurrentDirectoryForExePathW('command')
1
>>> os.environ['NoDefaultCurrentDirectoryInExePath'] = '1'
>>> kernel32.NeedCurrentDirectoryForExePathW('command')
0
Note that it requires first normalizing the path to replace slashes with backslashes, which is unusual for the Windows API.
>>> kernel32.NeedCurrentDirectoryForExePathW(r'.\command')
1
>>> kernel32.NeedCurrentDirectoryForExePathW('./command')
0